James Raftery


Net::Pcap::Reassemble - IP fragment reassembly for Net::Pcap


 use Net::Pcap::Reassemble;

 my $pcap_t = Net::Pcap::open_offline($opt_p, \$err);
 if (!defined($pcap_t)) {
   print STDERR "Net::Pcap::open_offline returned error: $err\n";
   exit 1;

 Net::Pcap::Reassemble::loop($pcap_t, -1, \&callback, "user data");


This module performs reassembly of fragmented datagrams in libpcap packet capture data returned by the Net::Pcap loop() function. This module supports reassembly of IPv4 and IPv6 fragments.


loop($pcap, $count, \&callback, $user_data)

The loop() function in Net::Pcap::Reassemble is intended as a seamless wrapper around the same function from Net::Pcap and as such it takes the same arguments. Net::Pcap::Reassemble, however, will only invoke the &callback function when it has a complete packet.

The module will print debug information to stdout (mainly packet header values) if the $debug variable in the package namespace evaluates to true:

 $Net::Pcap::Reassemble::debug = 1;

Layer 2 header data (typically an ethernet header) will be omitted from the packet supplied to the callback function if the $stripl2 variable in the package namespace evaluates to true:

 $Net::Pcap::Reassemble::stripl2 = 1;

The flush() function destroys the data structures storing any incomplete datagrams. This function can be called after loop() has returned to release memory used by the fragments of incomplete datagrams (assuming your program continues executing after the loop() finishes).


Data is represented internally using Net::Pcap::Reassemble::Packet and Net::Pcap::Reassemble::Fragment class objects.


Each `Packet' object represents a complete captured packet and contains:

  1. An ID: 'srcip dstip IPid protocol' for IPv4; 'srcip dstip IPid' for IPv6

  2. A list of Net::Pcap::Reassemble::Fragment object references

  3. The final octet, learned from the packet with MF==0

  4. A flag to indicate if the fragment list is sorted

It has class functions to add a fragment to the Packet (addfragment()), return a string with information on the fragments received so far (listfragments()), and to test whether a datagram is complete and return its data if it is (iscomplete()).


Each `Fragment' object represents an IP datagram fragment and contains:

  1. Start octet

  2. End octet

  3. (M)ore (F)ragments flag (`MF' in IPv4; `M' in IPv6)

  4. Payload data

It has class functions to return the data above (start(), end(), mf() and data()), and a summary string for debugging (vitals()).




  • Stale fragments are not aged out of the pending fragment list. We could look at the pcap header for the capture time of each packet and age out based on that.

  • This module offers no resistance against fragment overlap attacks, and other such malarky.

  • loop() should accept an optional anonymous hash reference for option passing.

  • Incomplete datagrams are left in limbo. Should be able to signal via an option that the callback be invoked for individual fragments aswell as the complete datagram.

  • The IP header in the packet supplied to the callback is from the first datagram. Length and checksum values will be incorrect with respect to the reassembled datagram that the callback sees. The layer 2 header, if present, will be from the last datagram to be captured.


This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. (Being a speaker of British english, I'd call it a "licence" though)


James Raftery <james@now.ie>.